Policies
Policies control access to Ondat namespaces. Policies can be configured at the group or user level so access can be controlled granularly.
Users can belong to one or more groups to control their Namespace permissions. Additionally user specific policies can be created to grant a user access to a namespace. Users can belong to any number of groups and have any number of user level policies configured.
Note: Users are created with access to the default namespace. Policies cannot be applied to the default namespace.
Create a policy
To start creating policies, at least one custom namespace and user are required. To see more information on how to create namespaces see our Namespace guide, for users see our Users CLI reference.
$ storageos namespace create testing --description quality-assurance
--display-name QA
$ storageos user create --user jim --groups qa
$ storageos policy create --user jim --namespace testing
The above commands created a namespace called testing, with a description and display name. A user jim was then created in the qa group and finally jim was given access rights to the testing namespace.
List all policies
To view policies, run:
$ storageos policy ls
ID USER GROUP NAMESPACE
6ad3c709-a16f-aa61-27d3-ec53526046d5 jim testing
Inspect policies
To inspect policies, run:
$ storageos policy inspect 6ad3c709-a16f-aa61-27d3-ec53526046d5
[
{
"spec": {
"user": "jim",
"namespace": "testing"
}
}
]
Removing policies
Removing a policy will remove access rights from users or groups that the policy affected.
To delete policies, run:
$ storageos policy rm 6ad3c709-a16f-aa61-27d3-ec53526046d5